[00:00.000 --> 00:06.720]  Thank you so much and thank you completely to the IoT village and all the volunteers and the staff
[00:06.720 --> 00:14.800]  because I know we are coming down to the wire and they have got to be exhausted and just,
[00:14.800 --> 00:21.320]  you know, kind of melting in all of this. So thank you all to the team. Let's get started
[00:21.320 --> 00:28.420]  because I have to get off of this slide before it gets evil and comes out and does attack.
[00:28.420 --> 00:37.840]  Do you know how hard it is to find a refrigerator like this? Anyway, this is who I am. I am the CEO
[00:37.840 --> 00:44.080]  of B-Sides Chicago. I was the COO for Diana Initiative last year. I also am part of B-Sides
[00:44.080 --> 00:50.240]  Pittsburgh. Why? Because I live in Pittsburgh currently. My first DEF CON was number three.
[00:50.240 --> 00:56.620]  How many people are that old? There were 16 speakers then. I have got a lot of years in
[00:56.620 --> 01:04.400]  security emphasis in blue teams. I used to be purple. I do a lot of DevSecOps. I sort of was
[01:04.400 --> 01:10.140]  based in Pittsburgh the last year and a half but in 16 more days I will be in beautiful Kirkland,
[01:10.140 --> 01:16.080]  Washington. I can't wait. I am a natural creature of winter and you will typically find me as you
[01:16.080 --> 01:23.360]  will see right here sipping a Casanova while simultaneously defending my systems using open
[01:23.360 --> 01:28.880]  source magic spells and dancing flamingos. We don't have time for dancing flamingos but we
[01:28.880 --> 01:42.020]  damn well have time for tequila. Oh great. And now I'm coughing. That never happens. Wow. Honeypots,
[01:42.020 --> 01:49.900]  refrigerators and internet of threats. I like to call it that instead of internet of things.
[01:50.880 --> 01:55.640]  But yeah, these are some of my absolute favorite things. We're going to talk about this stuff.
[01:55.640 --> 02:02.000]  And oh yes, I'm a drummer too if you haven't quite figured that out. All right. The views here and
[02:02.000 --> 02:08.700]  opinions and everything I show you today are mine. They are no one else's. Definitely not any of my
[02:08.700 --> 02:17.120]  employer, past or present. Please take anything I show you with a grain of salt. Don't try this at
[02:17.120 --> 02:27.360]  home as they say on, oh God, I just forgot the TV show. Oh well. It's one of those days. And
[02:27.360 --> 02:31.480]  those of you with an overwhelming fear of the unknown will be happy to know that if you read
[02:31.480 --> 02:37.600]  this disclaimer backwards, there is no hidden message that will be revealed. Although some
[02:37.600 --> 02:43.660]  people want me to put one in there. I think I may do that the next time. All right. Why are we here?
[02:44.340 --> 02:49.660]  Couple of important points. I always like to present this in any of my talks. And I need to
[02:49.660 --> 02:55.860]  update it for 2019. I just have to get the information on it. But let's just look at 2018.
[02:56.200 --> 03:05.180]  In 2018, companies spent over $114 billion on fancy software, fancy hardware, you know,
[03:05.180 --> 03:11.820]  all the blinky boxes, the blinky software, all that crap. Attacks and breaches continue to go up.
[03:11.820 --> 03:17.620]  The security stuff that we buy, whether it's EPP, whether it's firewalls, whether it's who
[03:17.620 --> 03:24.720]  knows whatever it is, it's vulnerable. Another very important point that I always like to make
[03:24.720 --> 03:34.300]  is lateral movement is so often overlooked. I'll talk about that coming up a little bit more.
[03:34.300 --> 03:40.840]  Then think about this. What about... I've actually had people tell me that,
[03:40.840 --> 03:47.640]  ooh, our security architecture is incredibly unique. Really? I don't think so. There's not
[03:47.640 --> 03:55.780]  that many ways to make it unique. Also, what is your typical day? Normally, I'm in a room
[03:55.780 --> 04:03.280]  presenting this, so I would say by a show of hands, how many of you spend 50% of your time
[04:03.280 --> 04:10.980]  checking boxes that have to do with compliance? I can't see if you're raising your hands,
[04:10.980 --> 04:15.260]  but pretend you are and put it in Discord, because I'd be really curious to look once
[04:15.260 --> 04:23.020]  I get off this screen. If you don't have this book, I recommend that you get it. It's called
[04:23.020 --> 04:29.800]  Offensive Countermeasures by John Strand. And this quote is directly out of this book. I love it.
[04:29.800 --> 04:36.560]  Instead of brilliance, we've standardized mediocrity. And what I take from that is the
[04:36.560 --> 04:41.920]  fact that, yeah, we just go out and spend a few bucks here and there. We buy some common
[04:41.920 --> 04:48.680]  off-the-shelf hardware, software, whatever. We plug it in, and we go, woo, we're protected.
[04:48.980 --> 04:54.420]  I don't think so. If that were the case, there wouldn't be the Equifaxes of the world,
[04:54.420 --> 05:03.400]  the Capital Ones, and so on. All right. I love this cartoon, because this kind of says it all.
[05:03.400 --> 05:07.920]  In this corner, we have firewalls, encryption, antivirus, software, et cetera, et cetera,
[05:07.920 --> 05:15.760]  et cetera. And in this corner, we have Dave. And the best part about this is up until recently,
[05:15.760 --> 05:22.680]  my boss, his name was Dave. And when I showed him this, I just couldn't stop laughing,
[05:22.680 --> 05:31.100]  because it was perfect. But it really is true, right? Because it's all about our users that
[05:31.100 --> 05:37.220]  continue to do things or get compromised or something happens. And we need a way to figure
[05:37.220 --> 05:45.780]  it out, especially in two aspects of it. One, we're all working remotely. And two, we have a lot
[05:45.780 --> 05:57.300]  of IoT stuff on our networks. So we have to do something about that. Also, I saw this just the
[05:57.300 --> 06:06.300]  other day. This $12 course can turn you into an ethical hacking pro. I guess I did it wrong. I
[06:06.300 --> 06:11.800]  don't know. I went to school for this. Although, I was a music major, so what do I know? Now,
[06:11.800 --> 06:16.520]  I just have to put that up for your entertainment, because I do think it's kind of funny. Don't fall
[06:16.520 --> 06:25.440]  for these scams. Most of these courses are crap. Honestly, set up a lab in your environment. I'll
[06:25.440 --> 06:32.300]  give you one little tip. Whenever I interview people, one of the first questions I ask engineers,
[06:32.300 --> 06:37.880]  security engineers, and so on, is tell me about your home lab. I have actually had security
[06:37.880 --> 06:44.820]  engineers tell me, I don't have time for that. Really? Next. So keep that in mind. You better
[06:44.820 --> 06:51.740]  have a really good home lab. This is something I want to point out, because these are screenshots
[06:51.740 --> 06:59.020]  from a recent security conference before COVID, before we went to virtual conferences. I was
[06:59.020 --> 07:06.660]  physically at a conference. It doesn't matter which one. But the point here is this. Here I
[07:06.660 --> 07:14.720]  had a GoPro that allowed me to connect to it. And I actually started taking screenshots from
[07:14.720 --> 07:20.640]  this person's GoPro. I was trying to figure out where they were in the room based on the shots I
[07:20.640 --> 07:27.600]  was able to see. I had another device that was attempting to pair with me. I actually was able
[07:27.600 --> 07:36.000]  to pair with it. I also was running an evil AP, and I was kind of capturing all the SSIDs that were
[07:36.000 --> 07:43.400]  running around this particular security conference. The point is, I usually do this every year at
[07:43.400 --> 07:48.860]  DEF CON. So if you see me walking around, I'll usually have a purse, and in that purse will be
[07:48.860 --> 07:56.700]  my evil AP. And the beauty of carrying a purse is it hides very neatly in your purse. But I look at
[07:56.700 --> 08:02.400]  all of this stuff, and I kind of analyze it when I get back. And it's fascinating to me that as
[08:02.400 --> 08:09.260]  security professionals ourselves and hackers and so on, we make the same mistakes that a lot of
[08:11.040 --> 08:18.860]  amateurs and new people make because they don't clear out their Wi-Fi. They don't do things that
[08:18.860 --> 08:25.460]  they should be doing. There was also one other thing. This morning I was kind of bored. I put
[08:25.460 --> 08:30.480]  up a new spice rack in my kitchen, so I took a picture of it. I wanted to share that with everyone.
[08:31.140 --> 08:38.700]  Yes, you should all be laughing right now. If you're not, oh well, I tried. All right,
[08:38.700 --> 08:46.480]  why are we not here? Well, first of all, it's not a demo of 5,000 different kinds of honeypots.
[08:46.480 --> 08:52.920]  That would be kind of silly. I have 45 minutes. It's not going to work very well. I'm not going to
[08:52.920 --> 08:58.960]  show you all of my honeypots. If you follow me on Twitter, you know I have honeypots all over the
[08:58.960 --> 09:06.600]  world. I have them scattered everywhere. I have them in my apartment. I have them in a lot of
[09:06.600 --> 09:12.960]  different places. Showing you my honeypots would be counterproductive. It's not going to do anything,
[09:12.960 --> 09:20.040]  but I will show you some without showing you where they're located, and they'll make a point.
[09:20.960 --> 09:29.440]  Oops, I have to come back, sorry. The whole point of this is there must be a better way
[09:29.440 --> 09:37.020]  to do security, because if we keep spending all this money, there really has to be a better way,
[09:37.020 --> 09:42.940]  and I think honeypots are the way to do it. Let's quick talk about what is an incident or a breach.
[09:43.200 --> 09:49.280]  Some key points, most breaches are not zero-day. They're not fancy. You don't get breaches from
[09:49.280 --> 09:57.200]  vulnerability scanners. Most breaches come from configuration issues. Ooh, this interests me,
[09:57.200 --> 10:06.560]  because it opens up the door to how I can modify my honeypots. A close second is compromised
[10:06.560 --> 10:15.020]  credentials. I worked at a company many years ago where, well, most companies are smart enough that
[10:15.020 --> 10:21.560]  they will change the administrator account in their domain. They don't want it to be administrator,
[10:21.560 --> 10:28.840]  but why don't you put back an administrator account and make it a honey credential? Think
[10:28.840 --> 10:34.400]  about that. We'll talk about that a little bit more. Also, trailing in third are overprivileged
[10:34.400 --> 10:42.680]  users. That's not going to fit well into our honeypots as much as everything else.
[10:44.080 --> 10:51.960]  Let's look at a couple of quick examples of IoT issues. This was a funny one. A university was
[10:51.960 --> 10:59.360]  attacked by its own light bulbs, vending machines, and lampposts. Answer a question for me. I know
[10:59.360 --> 11:05.620]  you can't, but you could in Discord. What in God's name were the light bulbs, the vending machines,
[11:05.620 --> 11:13.800]  the lampposts doing on the same network as the rest of the university? It should not have been
[11:13.800 --> 11:22.380]  there. Also, there are industrial issues that we deal with all the time. An oil rig was shut down
[11:22.520 --> 11:29.240]  a couple of years ago. Why? Because there was an IoT sensor on the oil rig that actually detected
[11:29.240 --> 11:36.640]  whether the oil rig was tipping. It was an ocean oil rig. Somebody got in. They made the sensor
[11:36.640 --> 11:43.860]  read. I want to say it was like a 12 degree tilt and the sensor was set. If it went to 10 degrees
[11:43.860 --> 11:50.600]  or over, then it would shut down the oil rig. Nobody bothered to check that damn sensor to
[11:50.600 --> 11:56.100]  see if it was misreading or something was wrong with it. Also, there was a blast furnace that
[11:56.100 --> 12:03.340]  happened to have been owned by the government. It malfunctioned, so to speak. Well, what happened
[12:03.340 --> 12:09.000]  was somebody got into it. They raised the temperature, shut off the shut off valves.
[12:09.000 --> 12:17.260]  The way this kind of solved itself was very simple. It melted. It melted down. No one was hurt.
[12:17.260 --> 12:23.560]  Although, if you were a blast furnace, I guess you might have been hurt in that particular case.
[12:23.560 --> 12:31.860]  This one I will never understand. Why are toilets connected to networks? Seriously. I mean, are we
[12:31.860 --> 12:39.000]  what? We're monitoring water? I don't know. But this happens all over Europe and Asia and so on.
[12:39.000 --> 12:47.660]  It does bring new meaning to the word system dump. But anyway, yes, I would never put a toilet
[12:47.660 --> 12:53.780]  on the network. All right. Now we're going to talk about one of my favorite things,
[12:53.780 --> 13:01.320]  honeypots. I love them. I think they are much more valuable than people give credit.
[13:01.780 --> 13:08.480]  Honeypots or deception technology. People have changed the name lately. They love to call them
[13:08.480 --> 13:15.440]  deception technology. Why? I don't know. They wanted something that sounded more professional.
[13:15.440 --> 13:22.460]  I guess deception technology. And yet I have found many commercial honeypots are nothing more
[13:22.460 --> 13:31.500]  than open source versions that have been repackaged with a fancy front end and a distribution model
[13:31.500 --> 13:39.560]  that allows it to be deployed to your environment much easier. But it's still the open source
[13:39.560 --> 13:48.080]  solution. So why can't I do that myself with an open source honeypot, maybe Ansible, Puppet,
[13:48.080 --> 13:55.240]  Chef, whatever is your tool of choice, use that to deploy your honeypots and manage them.
[13:55.340 --> 14:02.360]  Maybe we can. But think of a honeypot as nothing more than a resource with no value.
[14:02.360 --> 14:12.160]  The value of that honeypot is someone using the resource. My honeypots are attacked all the time.
[14:12.160 --> 14:19.340]  I typically will not set my honeypots up to hack back. Who knows? Maybe someday I will.
[14:19.340 --> 14:28.320]  But I haven't done it yet. Also, these are incredibly important points. Probably the
[14:28.320 --> 14:36.400]  most important aspect of honeypots is deployment. Where are you going to put them? I made a comment
[14:36.620 --> 14:43.140]  a few minutes ago. I have honeypots all over the world. I don't just put them out just randomly
[14:43.140 --> 14:50.760]  for the hell of it. There might be a couple that I might just place in a country on a VPS somewhere
[14:50.760 --> 14:57.560]  just to see if it gets attacked. But most of them are very strategically placed, especially within
[14:57.560 --> 15:04.360]  my own environment, my own networks, etc. So think about it. We're going to talk about that detail
[15:04.360 --> 15:13.440]  coming up. Architecture. Customization. In other words, planning. You know, there are hundreds,
[15:13.440 --> 15:20.520]  thousands, I don't know, I've lost track. There are hundreds of types of honeypots out there.
[15:21.040 --> 15:27.140]  We're going to talk about that. In fact, let's talk about it right now. Here's a good list of
[15:27.140 --> 15:35.080]  some of my favorite honeypots. ADHD. Great tool. Comes from Active Countermeasures. It is free.
[15:36.680 --> 15:44.380]  Excuse me. And, you know, go download it. Start playing with it. It has numerous honeypots built
[15:44.380 --> 15:49.300]  into it, a couple of which are my favorite as well. HoneyBadger and HoneyBadger Red.
[15:49.300 --> 15:55.580]  I love HoneyBadger and I'll talk about that coming up. There's another place to generate
[15:55.580 --> 16:03.860]  canary tokens. There is also Open Canary, which is a great honeypot. If you want to build your
[16:03.860 --> 16:11.240]  own custom honeypots out of hardware and software, take a look at the Mozilla project called
[16:11.240 --> 16:18.140]  WebThings. There's a whole framework there that you can actually build your own honeypots with Raspberry
[16:18.140 --> 16:26.000]  Pis and so on. T-Pot is still a good one to get started with. Start playing. There's a new one
[16:26.000 --> 16:31.860]  that replaced the Modern Honey Network a couple of years ago. It's called Community Honey Network.
[16:31.900 --> 16:38.560]  Take a look at that one. Twisted Honeypots is another. But I think you're getting the idea.
[16:38.560 --> 16:47.400]  Also, what about the real thing? What if I have a server that I could install
[16:48.180 --> 16:55.810]  Windows Server on it, whatever year you want to pick, why couldn't that be an actual honeypot?
[16:56.120 --> 17:02.560]  Why does it have to have special software on it to be a honeypot? I'll tell you this right now.
[17:02.560 --> 17:10.980]  I have a mail server in my own personal network that is a fake mail server. If you look at my MX
[17:10.980 --> 17:17.140]  record, you will see that I have a couple of mail servers in there. But then there's this other mail
[17:17.140 --> 17:24.920]  server that sits on the exact same network, but it's not part of the MX record. It's a honeypot.
[17:24.920 --> 17:34.280]  And I catch people trying to spam it and get in and do things all the time because the bots find it.
[17:34.400 --> 17:43.100]  The whole point here is there are lots and lots of honeypots. This is a great website or a GitHub
[17:43.100 --> 17:50.580]  link where the person maintains a great list of all of the honeypots, so keep that in mind. Also,
[17:50.580 --> 17:57.540]  I will be making my slides available after this talk up on my GitHub repo. My GitHub repo is the
[17:57.540 --> 18:05.480]  same as my Twitter handle, Rainbow Cat. So this will be up later tonight. Also, remember I said
[18:05.480 --> 18:14.120]  lateral movement. Lateral movement is critical. And honeypots are one of your best tools to detect
[18:14.120 --> 18:23.580]  lateral movement. Just recently I bought a new IoT device. I plugged it into my network, and one
[18:23.580 --> 18:31.380]  of my honeypots, which is made to detect port scanning, and I have it here in my own place,
[18:31.380 --> 18:38.040]  kind of went off. Why? Because the device that I plugged in started port scanning my network.
[18:39.640 --> 18:45.640]  Without going into details, because I have a bug bounty in place for this, it turns out that the
[18:45.640 --> 18:53.320]  vendor had actually installed somehow some beta... or their testing software, not beta,
[18:53.320 --> 19:00.120]  their testing software got put on a piece of equipment that got shipped to production,
[19:00.120 --> 19:06.700]  that got shipped and purchased. I'm wondering whether that's a true story, but we can talk
[19:06.700 --> 19:12.480]  about that offline. The whole point is we have to find a way to detect lateral movement. Honeypots
[19:12.480 --> 19:18.620]  are the way to do it. We're going to see that. All right. Everyone should know what OODA is.
[19:18.700 --> 19:27.860]  If you don't know what OODA is, you're about to. OODA stands for Observe, Orient, Decide,
[19:27.860 --> 19:33.780]  and Act. And this came from the military. It came from the military on how you do warfare,
[19:33.780 --> 19:40.500]  how you do all of this. And it also was adopted by a lot of security professionals.
[19:40.500 --> 19:49.140]  Well, in the honeypot world, I think we need our own little mnemonic, if you will. And it's
[19:49.140 --> 20:02.840]  called CCAD. CCAD stands for Confuse, Confound, my favorite, Annoy, and, of course, Delay.
[20:02.840 --> 20:10.260]  Why? Because if I can delay an attacker because they're stuck in a honeypot, then I'm going to
[20:10.260 --> 20:18.940]  have more time to find them and keep them from getting into my actual valuable resources.
[20:19.720 --> 20:26.020]  So, yeah. I love this. We'll see it a little more later. Don't forget about monitoring. You can
[20:26.020 --> 20:33.780]  deploy all the honeypots you want, but people keep forgetting to monitor them. I use a great
[20:33.780 --> 20:39.380]  tool. I just put it up here. I don't represent them. It's open source. It's called Wazuh,
[20:39.380 --> 20:47.520]  or some people say Waza. But go take a look at it. It's an agent configuration and also a SIEM
[20:47.520 --> 20:55.400]  built in. You put the agents on your honeypot. It does a lot of analysis of all the honey data
[20:55.400 --> 21:01.760]  or all the attack data that's coming into your honeypots, sends it up to your SIEM, and it's
[21:01.760 --> 21:07.480]  tremendous. I just like to mention that because you should pick something to be able to monitor
[21:07.480 --> 21:15.040]  your honeypots. All right. Let's talk about deployment. This is the big part. I can't say
[21:15.040 --> 21:23.940]  it enough. Plan, plan, plan. This should be 90% of your time when it comes to deploying honeypots,
[21:23.940 --> 21:29.760]  especially when it comes to IoT. You can't just build a little IoT honeypot and go,
[21:29.760 --> 21:36.080]  oh, I'll just put it on my network. No. You have to design your network such that it looks like
[21:36.080 --> 21:46.460]  this is a valid honeypot. I'm going to show you coming up a honeypot... let me... I'll stop right
[21:46.460 --> 21:51.820]  there. I'll show you something and we'll talk about it then. Also, two types of honeypots I
[21:51.820 --> 21:57.420]  recommend. Low interaction, medium interaction. We don't need higher interaction honeypots.
[21:58.080 --> 22:05.640]  We want them to get delayed and get stuck, but we don't need them mucking around with things that
[22:05.640 --> 22:11.080]  are very complex and difficult. Most of my honeypots, if I am deploying them within an
[22:11.080 --> 22:16.200]  environment, run on Raspberry Pis. If I could turn my camera, I would show you. I have a
[22:16.200 --> 22:23.440]  table down here that has about 25 Raspberry Pis on it in various forms of
[22:24.520 --> 22:32.440]  destruction and rebuilding and everything. Raspberry Pis are great for it. Also,
[22:32.440 --> 22:41.780]  think about honeyports, honeypots, honeytokens, honeycredentials. It's easy to build a honeypot,
[22:41.780 --> 22:47.100]  but it's also going to be a little more difficult because we have to customize it.
[22:47.180 --> 22:54.080]  And this is where the hard part comes in. This is why I say ding, ding, ding, this is important.
[22:54.260 --> 22:59.400]  I'm going to show you a test coming up here in just a second, and we're going to see how many
[22:59.400 --> 23:05.320]  of you pass. Also, if you're going to put a honeypot out there, real versus self-signed
[23:05.320 --> 23:12.960]  certificates. Self-signed certificates is the most dead-awful giveaway that this is a honeypot
[23:12.960 --> 23:20.960]  versus a real resource. And these days with Let's Encrypt, there's no reason you can't put
[23:21.680 --> 23:32.680]  a real certificate on a honeypot. Also, how difficult would it be if you took an actual
[23:32.680 --> 23:41.220]  application, a production application that you have, but put it on a honeypot server.
[23:41.940 --> 23:48.820]  And you might take maybe some of the data out of it, maybe, you know, ask your application team
[23:48.820 --> 23:58.960]  to modify it a little bit. But the point is, you put the actual application on a honeypot server.
[23:58.960 --> 24:03.980]  So that way, when they're trying to attack it or trying to get into it, it looks like they're
[24:03.980 --> 24:08.980]  getting into something real. I'm going to show you an example of that coming up in just a second.
[24:09.320 --> 24:16.460]  I already mentioned, put a host intrusion detection on it. My favorite being Wazuh,
[24:16.460 --> 24:22.320]  which is a fork of OSSEC from several years ago. There are some rules, and you do have to do some
[24:22.320 --> 24:28.680]  tuning work, but it's very, very important. Now, where do you put your honeypots? Well,
[24:28.680 --> 24:35.460]  I put them everywhere. In server farms, in cloud storage, IoT, the IoT one's coming up in a second.
[24:35.460 --> 24:44.000]  Put them out my DMZ, out for mail servers, all over the place. Remember, stop and think about it.
[24:44.560 --> 24:52.720]  You know, you want WordPress, you want Raspberry Pis, spin up some VMs or some VPSs out there.
[24:52.720 --> 25:00.260]  Also, what about a point of sale system? I'll tell you one about that coming up here in just a second.
[25:00.260 --> 25:06.360]  All right, normally this is interactive. It's not very interactive right now, but if you were
[25:06.360 --> 25:13.940]  looking at this, and I'm hoping you can see my mouse, you should be able to. So we see this is,
[25:13.940 --> 25:21.980]  I got into this device. It looks like it says Linux RT-AC5300. Normally, I'm asking everybody
[25:21.980 --> 25:28.880]  in the room, what do you think this is? And most people will yell out, oh, it looks like it's an
[25:28.880 --> 25:41.480]  Asus router, and in fact, it's an RT-AC5300. No, it's not. It's actually Cowrie. Cowrie is an SSH
[25:41.480 --> 25:51.280]  and Telnet honeypot tool that can be configured to look like just about anything. In my case, what I did
[25:51.280 --> 26:00.120]  is I went to an actual RT-AC5300. I gathered all of the screenshots and the... not screenshots,
[26:00.120 --> 26:08.620]  all of the data files. I did df's. I did ls's. I captured all of the data I could off an actual
[26:08.620 --> 26:20.680]  RT-AC5300. I then went to my Cowrie configuration, and I started modifying all of the files here,
[26:20.680 --> 26:29.620]  because that's all you have to do. If you can modify the files, then suddenly this looks like
[26:29.620 --> 26:35.720]  an actual Asus 5300. Now, if we were in my live version of this where people could
[26:35.720 --> 26:44.980]  yell out things, you might yell out, but what about the HTTP interface of the router? Well,
[26:44.980 --> 26:50.760]  that is in here too. I just didn't get a screenshot of it. I should have, but I captured
[26:51.600 --> 26:58.600]  everything from the interface. I logged in. I got all of the HTML files after doing some
[26:58.600 --> 27:05.220]  screen dumps and so on. I then went to my Cowrie device. I modified it a little bit because Cowrie
[27:05.220 --> 27:11.320]  normally doesn't have a web server on it. Well, because you're installing Cowrie on a base version
[27:11.320 --> 27:17.780]  of Linux, there's nothing to stop you from putting Apache on there. I put Apache on there. I put
[27:17.780 --> 27:27.900]  all of my configurations, so when you hit the web interface, it looked exactly like the Asus 5300.
[27:28.260 --> 27:33.500]  Now, here's the hard part. I had to go, well, wait a minute. I can't just drop it on a network
[27:33.500 --> 27:41.740]  somewhere, because why would someone have a wireless router sitting just randomly on a
[27:41.740 --> 27:49.060]  network? No. What I had to do was create a DMZ in my environment, set it up so it looked like this
[27:49.060 --> 27:58.760]  was my Xfinity connection, so anyone coming to my Xfinity system would see an Asus 5300 exposed
[27:58.760 --> 28:05.800]  and think they found the keys to the kingdom. And they would sit there forever trying to break
[28:05.800 --> 28:12.620]  into it, leaving my real firewall, which of course may be pfSense, who knows? Or it might be
[28:12.620 --> 28:21.380]  OPNsense, because I like that better. The point is, don't forget about the configurations. That's in
[28:21.380 --> 28:28.580]  the customization. But that's how easy it is to take a simple firewall tool, in this case Cowrie,
[28:28.580 --> 28:37.340]  and modify it to look like something else. Now, my other question. If you were looking at this,
[28:37.340 --> 28:45.500]  what would you say this is? And of course, actually, let me... oops, wrong one. Let me see
[28:45.500 --> 28:55.220]  if I can see where my Discord window went. Is anybody asking any questions? No. Okay.
[28:55.980 --> 29:02.740]  What I was going to say is, in Discord, tell me, what do you think this is? I'm looking
[29:02.740 --> 29:08.520]  at the Discord channel right now, the top questions text. So does this look like what?
[29:08.880 --> 29:16.340]  OpenVPN? And I know there's a delay, so I'm kind of waiting and waiting and see what anybody says.
[29:16.960 --> 29:26.400]  But it looks like an OpenVPN server. I assume you would all say that. And I'm pausing a little
[29:26.400 --> 29:36.440]  bit to see what Discord says. People are typing. Yes, yes. Okay. But it's not. It's actually
[29:38.160 --> 29:47.620]  a honeypot. What did I do? I installed the OpenVPN server on it, but here's the change.
[29:47.620 --> 29:59.020]  When you click this to download the software, it downloads HoneyBadger.
[29:59.020 --> 30:08.340]  HoneyBadger runs on the attacker's machine. It sends back a trace, and it says,
[30:08.340 --> 30:18.930]  guess where I am? The whole point here is, yes, I used OpenVPN, the actual application.
[30:18.930 --> 30:29.610]  But I modified it so it does things that I want it to do and not just what it was
[30:29.610 --> 30:36.730]  written to do. I have a real OpenVPN server, but this one is fake.
[30:38.550 --> 30:48.990]  Okay. Some more examples. Okay. I mentioned point of sale. I did this at a previous company
[30:48.990 --> 30:54.450]  many, many years ago where we have point of sale servers. They kept getting hacked,
[30:54.450 --> 30:59.990]  and they kept getting hacked with skimmers being put on them. So any time, you know,
[30:59.990 --> 31:05.630]  they were credit card, typical credit card skimmer software. Well, we couldn't find who
[31:05.630 --> 31:12.610]  was doing it. It was happening at multiple locations. So what did we do? We built Raspberry
[31:12.610 --> 31:21.390]  Pis. In this case, it was RPi3s. We took RPi3s, configured them to look exactly like Oracle's
[31:21.390 --> 31:27.290]  MICROS POS system. So the interface was there, and everything was there. We then drop shipped
[31:27.290 --> 31:36.190]  them to the various locations that we had, and within a week of being installed in our locations,
[31:36.190 --> 31:41.410]  one of them was attacked, and the skimmer software was attempted to be installed,
[31:41.410 --> 31:47.370]  and we finally found out where it was coming from. And it was contractors and blah, blah, blah.
[31:47.370 --> 31:55.770]  Doesn't matter. The point was the honeypots caught the bad actors, all because we stopped
[31:55.770 --> 32:03.970]  and thought about where to put these things, because that's what's important, where to put them.
[32:04.190 --> 32:15.270]  Also, think about compromised credentials. How many people have AWS keys that are stored out
[32:15.270 --> 32:23.770]  in GitHub? And they better be fake AWS keys, because the minute they're compromised, you're
[32:23.770 --> 32:33.730]  going to find out who is really trying to attack you, and not just some fake threat report that
[32:33.730 --> 32:39.190]  comes from some company that says, oh, you're being attacked by this country and these people
[32:39.190 --> 32:43.730]  and blah, blah, blah. Most of the times they're telling you about attacks you already know about.
[32:43.730 --> 32:51.550]  So think about credentials that you can use. And if you ever have a user that comes to you and says,
[32:51.990 --> 32:58.230]  my account was compromised because I clicked on a phishing account. Well, here's what you do.
[32:58.230 --> 33:07.430]  Change their account name right away. Create a honey credential of the one that was compromised.
[33:07.690 --> 33:14.730]  It works every time. This one I don't have time to talk about.
[33:14.730 --> 33:28.390]  I had another one where we had a server room, a data center. And we knew that we had people
[33:28.890 --> 33:38.190]  that seemed to be getting into systems physically. They were connecting up a crash cart and they
[33:38.190 --> 33:43.590]  were logging into servers. We couldn't catch them because the entire place wasn't covered by
[33:43.590 --> 33:51.270]  cameras. This was maybe about ten years ago. So we had an issue. But I guess it wasn't ten years
[33:51.270 --> 33:57.470]  ago. It was more like eight. What we did was we created QR codes. We stuck them on the bottom
[33:57.470 --> 34:05.190]  of these servers. And if you scanned it, because we told people about it, if you scanned it,
[34:05.190 --> 34:11.570]  it would give you emergency credentials to log in to fix a server. Well, no. What it really did was
[34:11.570 --> 34:17.870]  emailed us saying that somebody just scanned the QR code. And that's how we found who was doing it.
[34:17.870 --> 34:24.790]  Again, honeypots. I already told you about my mail server. This is an easy one to do. And it's not
[34:24.790 --> 34:37.410]  that hard. Also, set up a webcam, a fake one, of course. It's very easy to mimic what a webcam
[34:37.970 --> 34:47.190]  software looks like on a Raspberry Pi. You can expose it on your internet via some port routing
[34:48.490 --> 34:56.470]  between your firewall and everything. And even if it's just on your DMZ. The point here is I did
[34:56.470 --> 35:04.190]  this years ago. If you all remember Mirai, I had done this. I had fake webcams out on my network.
[35:04.190 --> 35:10.830]  I didn't always get a chance to analyze them. Because I didn't have them set up pointing to a
[35:10.830 --> 35:18.990]  SIEM. So, this is how I learned I need to get a SIEM set up and have everything being correlated
[35:18.990 --> 35:26.050]  and analyzed. Because I found out that I had the Mirai payload on one of my honeypots two months
[35:26.050 --> 35:35.250]  after Mirai hit. The problem was the payload had been dropped two months before Mirai hit. So,
[35:35.250 --> 35:42.270]  if I had only been looking at my honeypots more regularly, I might have found Mirai before it
[35:42.270 --> 35:53.790]  actually did what it did. Oh, well. Think of S3 buckets. When you stop and think about IoT devices,
[35:53.790 --> 36:00.010]  what do they talk to? They talk to the cloud. In many cases, they talk to all sorts of things in
[36:00.010 --> 36:07.050]  the cloud. And they can also talk to S3 buckets and drop data in it. Put a fake S3 bucket out
[36:07.050 --> 36:13.550]  there. Generate some weird data. Drop it in there. Put some fake credentials out that are available
[36:13.550 --> 36:19.110]  that would access that S3 bucket. And then when the credentials are compromised, you get an alert
[36:19.110 --> 36:24.870]  for that. But then when they're used to access the S3 bucket, which has bogus data in it, you also
[36:24.870 --> 36:33.070]  know who's actually actively trying to attack. Think about honey ports. This is going to be
[36:33.070 --> 36:39.830]  important. We're going to have to speed up because I have a little less time. Here's an example of a
[36:39.830 --> 36:46.190]  great honeypot tool. This is on the ADHD package that you can look at. It's called Portspoof.
[36:46.190 --> 36:53.450]  So here you see I did an Nmap from port 200 to port 300 of a host called Gonzo. And it returned
[36:53.450 --> 37:01.050]  all of these funky, what are pretty normal services and so on that you see running on there.
[37:01.070 --> 37:08.110]  But what really happened is this is running a tool called Portspoof. And Portspoof actually
[37:08.110 --> 37:17.030]  only listens on one port, but it has some redirect via iptables on that server. So anything that
[37:17.030 --> 37:26.890]  hits it, it says, oh, let me go and return all of this bogus data. But here's the best part of it.
[37:26.890 --> 37:34.010]  Because this one returned pretty quickly. But here's another example. Here we see that, okay,
[37:34.730 --> 37:45.210]  oops, the attacker decided to do an Nmap -A of Gonzo. So we see we've got four minutes,
[37:45.210 --> 37:54.970]  43 seconds elapsed. It's still running its stealth scan, doesn't find much. It says it's got 75%.
[37:56.770 --> 38:06.250]  We've got nine minutes, 58 seconds. A minute 30, it says it's got remaining. It's still running
[38:06.250 --> 38:14.090]  here. It's only at 77%. And it's still going. And actually, I'm sorry, looking at the wrong
[38:14.090 --> 38:21.610]  numbers over here. My timing is over here. It went from 4:53 to 7:39. And it only made it 3%.
[38:22.230 --> 38:31.650]  Why? Because Portspoof actually slows it down. It's like a tar pit. It drags it in. Remember
[38:31.650 --> 38:42.610]  CCAD, that D is delay. If I can delay the attacker while they screw around trying to attack this host
[38:43.270 --> 38:51.770]  in my own network, then the odds are I will have spotted them because my sim will alert me when
[38:51.770 --> 39:00.170]  Portspoof triggers. Simple. So now I know where they're coming from. I know what they're trying
[39:00.170 --> 39:07.550]  to do. Yeah. You know, think about this. Also, I will mention this one. I have a screenshot of it.
[39:07.550 --> 39:16.150]  I may add it in here. I'm sure you all have heard of Have I Been Pwned? And a lot of people go
[39:16.150 --> 39:22.310]  there. They put in their email address. And they get a report back saying whether it's been
[39:22.310 --> 39:29.110]  compromised or not. I was thinking about that one day. And I stood up a funky domain similar
[39:29.110 --> 39:36.030]  to Have I Been Pwned. It was only up for about a week. I took it down very quickly because I was
[39:36.030 --> 39:43.450]  very surprised. It said Have I Been Pwned, but instead of asking you to enter your email address,
[39:43.450 --> 39:51.250]  it asked you to enter your password to check to see if that password has been compromised.
[39:51.250 --> 40:01.250]  In one week, I had thousands of people typing in their passwords. I was floored, thinking,
[40:01.250 --> 40:08.870]  good Lord, all I did was stand up a simple website that said here, enter your password.
[40:08.870 --> 40:20.430]  And people started doing it. It's crazy what people do. This is why honeypots have so much
[40:20.430 --> 40:31.570]  power in gathering information. So please, this is a dated quote. It's from 2014.
[40:31.810 --> 40:38.430]  But I think you all would agree. 84% of organizations that were breached had evidence
[40:38.430 --> 40:44.990]  of the breach in their log files. The problem is logging of all their actual applications
[40:45.530 --> 40:55.710]  is terabytes and petabytes and so on. It's huge. But honeypots are not going to be false
[40:55.710 --> 41:04.050]  positives. Honeypots, when they are triggered, they are real attacks. Why? Because you don't
[41:04.050 --> 41:09.990]  just drop them all over the place. I did have one place that we put a bunch of honeypots and
[41:09.990 --> 41:17.090]  we had all the department or the main department head actually told all the other managers where
[41:17.090 --> 41:23.850]  we put the honeypots. And I was like, seriously, why did you do that? The whole point of having
[41:23.850 --> 41:30.910]  internal honeypots is to catch insider threats, not for you to tell everybody. So we had to pull
[41:30.910 --> 41:37.050]  them all back, wait about a month, and then redeploy them so nobody knew where they are.
[41:37.050 --> 41:43.330]  The point here is planning about where you're going to put honeypots. So here are your key
[41:43.330 --> 41:52.590]  takeaways from today. Remember CCAT. Confuse, confound, annoy, delay. Also, honeypots have
[41:52.590 --> 42:02.930]  low false positives. Feed them to a separate SIEM. Don't feed them to the same SIEM that you have
[42:03.630 --> 42:12.070]  collecting all your other data. They are great tools for detecting lateral movement. Why? Because
[42:12.070 --> 42:18.230]  what are people looking for when they get inside your environment? I can only imagine if Equifax
[42:18.230 --> 42:22.950]  had real honeypots inside their network, they might have actually caught them before they got
[42:22.950 --> 42:28.390]  away with things. They're cost effective as hell if you're not going out and spending money on
[42:28.390 --> 42:35.930]  commercial versions. And remember, honeypots are there to defend but mostly to detect your
[42:35.930 --> 42:43.790]  environment. And what I really want to say is honestly the... well, I'll get to it in a sec.
[42:43.790 --> 42:55.650]  Let's talk about this. If you want to only work with IoT honeypots, I recommend HomePwn. It's a
[42:56.610 --> 43:05.390]  kit for testing and looking at IoT devices. But what I use it for is for gathering all of the
[43:05.390 --> 43:11.670]  screenshots, the data and everything of light bulbs and thermostats and all these things so I
[43:11.670 --> 43:19.130]  can mimic them and make my honeypots look exactly like those devices. That's one of the things I do
[43:19.130 --> 43:25.230]  with it. Also, honeypots are great for forensics. Keep that in mind. Hell, I had Mirai. I just didn't
[43:25.230 --> 43:31.850]  know I had it. But what I really think is important here is honeypots are real threat intel.
[43:32.110 --> 43:41.550]  They are not fake threat intel. They are giving you information that is valid on who's attacking
[43:41.550 --> 43:49.670]  you. It's about thinking differently. I can't watch hundreds of thousands of servers in my
[43:49.670 --> 43:56.890]  environment every day unless I start to think about it slightly differently. And that's what
[43:56.890 --> 44:06.370]  we do with honeypots. So I can't say it enough. Plan, plan, plan. That is the key thing. Honeypots
[44:06.370 --> 44:15.110]  are easy to deploy, but planning the deployment is what's important. Thank you all very much.
[44:15.110 --> 44:24.010]  I hope you enjoyed this talk. I will be posting my slides. I am working on an actual honeypot
[44:24.010 --> 44:30.710]  customization workshop. I'm almost there. I've done a couple of walkthroughs. The problem has
[44:30.710 --> 44:38.310]  been I need to work on the labs. But once I get this done, I'm going to give it for free virtually.
[44:39.270 --> 44:46.270]  So, yeah, I'll be doing that. Watch my Twitter feed. You'll see information about that coming
[44:46.270 --> 44:51.350]  up within a couple of months. I have to get through my move from where I am now out to
[44:51.350 --> 44:58.670]  Washington. So thank you all very much. Hope you had a good time. Hope you liked my spice rack
[44:58.670 --> 45:05.050]  joke. If not, oh, well. And here's to Casa Noble and Yeho Tequila.
